Date: Mon, 1 Apr 2019 20:52:47 +0300 From: Sergey Akhmatov <sergey@akhmatov.ru> To: Victor Sudakov <vas@mpeks.tomsk.su>, freebsd-net@freebsd.org Subject: Re: need help with ipfw nat to pf nat migration Message-ID: <75502aa3-0e10-fbba-d56b-5716e91e7b27@akhmatov.ru> In-Reply-To: <20190401033424.GA95019@admin.sibptus.ru> References: <20190401033424.GA95019@admin.sibptus.ru>
Hello, Victor.

Try using "no nat".

table <limited_nat> { 8.8.8.8, ..... }
nat pass on $ext_if from 192.168.3.0/24 to <limited_nat> -> ($ext_if)
no nat on $ext_if from 192.168.3.0/24 to any
nat pass on $ext_if from 192.168.0.0/16 to any -> ($ext_if)

On 01/04/2019 06:34, Victor Sudakov wrote:
> Dear Colleagues,
>
> I'm trying to migrate some firewall rules from ipfw to pf. As pf does
> NAT first and filtering after NAT, I have a problem doing the following:
>
> 1. All 192.168.0.0/16 addresses should be translated to the real IP of
> the external interface.
>
> 2. A subset of the 192.168.0.0/16, for example 192.168.3.0/24,
> should have access only to a limited list of addresses in the Internet,
> for example 8.8.8.8 only.
>
> However, because the "nat" rule has already done its job before
> filtering, I cannot "block on $ext_if from 192.168.3.0/24 to any"
> because the source has already been translated.
>
> In ipfw I can "deny ip from 192.168.3.0/24 to not 8.8.8.8" before it
> even gets into the nat rule, but what do I do with pf?
>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?75502aa3-0e10-fbba-d56b-5716e91e7b27>
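The "no nat" approach from the reply above, written out as a complete pf.conf fragment for FreeBSD's pf (the "nat on" rule syntax in use there in 2019). This is an added example, not configuration from either poster; the interface names em0/em1 and the second table member 8.8.4.4 are assumptions. It differs from the reply in one respect: the translation rules carry no "pass" modifier, so matched packets still go through the filter section, which makes the block rule for the untranslated 192.168.3.0/24 traffic explicit instead of relying on "nat pass" to short-circuit the filter.

```pf
# Macros and tables (interface names and the 8.8.4.4 entry are assumptions)
ext_if = "em0"
int_if = "em1"
table <limited_nat> { 8.8.8.8, 8.8.4.4 }

# --- Translation rules: evaluated before the filter, first match wins ---
# 1. Hosts in 192.168.3.0/24 are translated only toward the allowed set.
nat on $ext_if from 192.168.3.0/24 to <limited_nat> -> ($ext_if)
# 2. Everything else from 192.168.3.0/24 is explicitly NOT translated,
#    so it still carries its private source address when the filter runs.
no nat on $ext_if from 192.168.3.0/24 to any
# 3. The rest of 192.168.0.0/16 is translated as before.
nat on $ext_if from 192.168.0.0/16 to any -> ($ext_if)

# --- Filter rules: evaluated after translation ---
block log all
pass in on $int_if from 192.168.0.0/16 to any keep state

# Traffic left untranslated by rule 2 is still matchable on its original
# source here, which is exactly what was impossible with a plain "nat" rule.
block out log on $ext_if from 192.168.3.0/24 to any

# Translated traffic leaves with the interface address as its source.
pass out on $ext_if from ($ext_if) to any keep state

# Alternative that leaves the translation rules alone: filter inbound on the
# LAN interface, where translation toward $ext_if has not happened yet.
# (Either this rule or the "no nat" pair above is sufficient on its own.)
# block in log quick on $int_if from 192.168.3.0/24 to ! <limited_nat>
```

Check the syntax without loading it with "pfctl -nf /etc/pf.conf", then confirm the rule order with "pfctl -sn" (translation rules) and "pfctl -sr" (filter rules). If "pass" is kept on the nat rules as in the reply, remember that matching packets bypass the filter entirely, so any logging or per-destination policy for 192.168.3.0/24 must then live in the translation rules themselves.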